[This rule designated an internal management rule]
(A) HIPAA is a federal law that, among other regulation, requires the protection of confidentiality and security of health data including the safeguarding, privacy, and release of protected health information (PHI).
(B) PHI includes, but is not limited to, the following individually identifiable health information of public assistance applicants, recipients, and former recipients:
(1) Information relating to past, present, or future physical or mental health or condition of an individual;
(2) Provision of health care of an individual;
(3) Past, present, or future payment for health care to an individual; and
(4) Eligibility information of an individual for the medicaid, disability medical assistance or refugee medical assistance program, or any other plan or program that provides medical assistance or pays the cost of medical care.
(C) All current and future recipients of medicaid, disability medical assistance, and refugee medical assistance, or any other plan or program that provides medical assistance or pays the cost of medical care, received or will receive a privacy notice outlining the following descriptions of uses and disclosures, and recipient procedures:
(1) A description of the types of uses and disclosures of PHI the Ohio department of job and family services (ODJFS) or its delegated entity is permitted with examples to include payment, treatment, and healthcare operations;
(2) A description of other uses and disclosures permitted under HIPAA without written consent or authorization to include examples such as required by law;
(3) A statement that other uses and disclosures will be made only with the individual's written authorization;
(4) Complaint procedure;
(5) Request for restriction procedure;
(6) Request for amendment procedure; and
(7) Request for accounting procedure.
(D) If a recipient of benefits identified in paragraph (C) of this rule requests any of the procedures outlined in paragraphs (C)(4) to (C)(7) of this rule from the county agency or entity acting on behalf of ODJFS who collects and maintains the information identified in paragraph (B) of this rule through which the recipient participates, the county agency or entity acting on behalf of ODJFS shall do one of the following:
(1) Refer the recipient to the ODJFS privacy official by providing the recipient with the appropriate phone number; or
(2) Provide the recipient with a copy of the HIPAA privacy notice outlining the procedures set out in paragraphs (C)(4) to (C)(7) of this rule and notice identifying whom the recipient may contact to initiate those procedures (see http://www.state.oh.us/odjfs/hipaa/privacy.pdf).